cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
ajaypandey
Level 7
Report Inappropriate Content
Message 1 of 9
‎09-02-2016 11:58 PM

Rule message showing 0

Hi Team,

I am getting Rule message-0 for many events and for many data sources in SIEM. When I am clicking on show rule -- it shows "Error not found".

Kindly help how to edit that rule so that i can get Rule message name.

Thanks in advance.

Regards,

0 Kudos
Reply
8 Replies
acommons
Level 11
Report Inappropriate Content
Message 2 of 9
‎09-04-2016 02:58 AM

Re: Rule message showing 0

You may want to look at KB83649 "SIEM rule message names appear as '0' after a rule purge":

https://kc.mcafee.com/corporate/index?page=content&id=KB83649&snspd-0115

My not be applicable but  could give you some leads.

cheers,

Andrew

0 Kudos
Reply
proxima
Level 10
Report Inappropriate Content
Message 3 of 9
‎09-05-2016 03:44 PM

Re: Rule message showing 0

Hi,

Probably the rule which you are looking for was deleted. In the most cases 0 in the rule name appear only then the data source (or auto learn) rule was deleted/purged. it will be visible again when the logs come to your system and parsed with the same asp rule which correspond to the deleted rule - also all rule names will change the name to proper data source rule.

But off course you must have proper asp rule...

Regards

MK

0 Kudos
Reply
ajaypandey
Level 7
Report Inappropriate Content
Message 4 of 9
‎09-05-2016 10:34 PM

Re: Rule message showing 0

Hi MK,

Thanks for your reply.

Is there any way to configure data source rule so that it start parsing again.

Also logs are coming as Rule message as 0 for many data sources.

Need your help in resolving this issue as I am new in Nitro SIEM.

Thanks...

0 Kudos
Reply
itgfcsys
Level 9
Report Inappropriate Content
Message 5 of 9
‎09-08-2016 11:38 AM

Re: Rule message showing 0

I've run into this recently, We found that it was related to the policy and roll-out status. we had rules titled 0, the partial names, and finally the full name after some updates. Tried a manual rule update and that seemed to resolve our issue.

0 Kudos
Reply
proxima
Level 10
Report Inappropriate Content
Message 6 of 9
‎09-08-2016 04:22 PM

Re: Rule message showing 0

Nice to hear that

Regards

MK

0 Kudos
Reply
ajaypandey
Level 7
Report Inappropriate Content
Message 7 of 9
‎09-11-2016 03:58 AM

Re: Rule message showing 0

Hi,

Thanks for reply.

I tried doing manual rule updates and rolled out the policy.

But no luck.

Regards,

0 Kudos
Reply
itgfcsys
Level 9
Report Inappropriate Content
Message 8 of 9
‎09-17-2016 07:54 PM

Re: Rule message showing 0

I've just run into the 0 rule name again, it was definitely incremental and consistent with a rule updates, but we did find some missing rules, Im not sure if the two sets of symptoms are related.

0 Kudos
Reply
ajaypandey
Level 7
Report Inappropriate Content
Message 9 of 9
‎09-05-2016 10:32 PM

Re: Rule message showing 0

Hi Andrew and MK,

Thanks for the reply.

@ MK,

Is there any way to configure data source rule so that it start parsing again.

Also logs are coming as Rule message as 0 for many data sources.

Need your help in resolving this issue as I am new in Nitro SIEM.

Thanks...

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC